
CVSS: 5.4 • EPSS: 0% • CPEs: 14 • EXPL: 0

30 Apr 2019 — Application Links before version 5.0.11, from version 5.1.0 before 5.2.10, from version 5.3.0 before 5.3.6, from version 5.4.0 before 5.4.12, and from version 6.0.0 before 6.0.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the applinkStartingUrl parameter. The product is used as a plugin in various Atlassian products where the following are affected: Confluence before version 6.15.2, Crucible before version 4.7.0, Crowd before version 3.4.3... • https://ecosystem.atlassian.net/browse/APL-1373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0 • EPSS: 94% • CPEs: 4 • EXPL: 6

18 Apr 2019 — Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server... • https://packetstorm.news/files/id/155235 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 • EPSS: 94% • CPEs: 4 • EXPL: 26

25 Mar 2019 — The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection. • https://packetstorm.news/files/id/161065 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8 • EPSS: 12% • CPEs: 4 • EXPL: 0

25 Mar 2019 — The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), from version 6.7.0 before 6.8.5 (the fixed version for 6.8.x), and from version 6.9.0 before 6.9.3 (the fixed version for 6.9.x) allows remote attackers to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance via Server-Side Request Forgery. • https://jira.atlassian.com/browse/CONFSERVER-57971 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

13 Feb 2019 — Atlassian Confluence Server and Data Center before version 6.13.1 allows an authenticated user to download a deleted page via the word export feature. • http://www.securityfocus.com/bid/107041 • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 7.5 • EPSS: 1% • CPEs: 7 • EXPL: 1

26 Apr 2017 — Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource. The Confluence drafts diff rest resource made the current content of all blogs and pages in Confluence available without authentication. Attackers who can access the Confluence web interface of a vu... • http://www.securityfocus.com/bid/97961 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5 • EPSS: 1% • CPEs: 30 • EXPL: 0

06 Oct 2016 — The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA plugin 6.26.0 before 7.8.17 allows remote attackers to obtain the secret key for communicating with HipChat instances by reading unspecified pages. • http://packetstormsecurity.com/files/139004/Atlassian-HipChat-Secret-Key-Disclosure.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 3

13 May 2014 — Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that logout the user via a comment. • http://archives.neohapsis.com/archives/bugtraq/2013-01/0066.html • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.1 • EPSS: 68% • CPEs: 17 • EXPL: 3

22 May 2012 — Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vecto... • https://packetstorm.news/files/id/181107 •

CVSS: 9.1 • EPSS: 1% • CPEs: 29 • EXPL: 0

22 May 2012 — The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors. • http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-05-17 • CWE-264: Permissions, Privileges, and Access Controls •